How to implement machine identity management for security
In IAM, companies must consider whether machines, applications and devices have the appropriate identities and access authorizations when communicating behind the scenes.
Identity and access management (IAM) ensures the right users have the appropriate access to technology resources. IAM also has to ensure that the right machines have appropriate access.
In IAM, machine means anything that is not a person -- for example, servers, mobile devices, applications, websites, software, APIs, VMs and IoT devices. Machines all need an established identity through the use of digital certificates and cryptographic keys. These security tokens enable internet protocols, such as HTTPS and SSH, to validate and authenticate a machine's identity. Once verified, the machine can communicate securely with other machines, establish trust, and gain authorized access to networks and resources. Companies need machine identity management to keep track of all the machines and to ensure each one has appropriate access permissions. A person may only need to log in once to check an online account, but behind the scenes, potentially hundreds of machines must achieve authentication to securely fulfill the request.
Organizations must proactively manage machine certificates and keys across the entire network of physical and virtual devices. Expired keys can lead to system failures that bring down critical services. Malicious hackers can also exploit unprotected keys. For example, an expired TLS certificate in the State of California's centralized reporting system in 2020 prevented it from tabulating COVID-19 testing results for more than a week, while the supply chain attack on SolarWinds led to the compromise of a Mimecast-issued digital certificate used to authenticate to Microsoft 365 Exchange Web Services.
With stolen or forged machine identities, cybercriminals can gain access to network resources. The machine identity appears legitimate and trustworthy, reducing the chances of detection. One individual user identity gives an attacker access to that individual's data. With a machine identity, an attacker could get access to mission-critical systems and vast amounts of sensitive data.
Importance of machine identity management programs
Machine identity management is a critical component of any cybersecurity program. Unfortunately, managing the lifecycle of machine identities is difficult: the number and variety of machines keeps growing rapidly, and different keys and certificates are required depending on the machine, communication protocol and request. The validity period of digital certificates has also changed over the past decade. It went from eight years down to a range of three to five years in 2011. Then, in 2020, after a Certification Authority Browser Forum (CA/Browser Forum) vote, the maximum TLS certificate lifespan fell to 398 days.
Organizations need a machine identity management program that enforces best practices throughout the entire lifecycle of each key: enrollment, provisioning, renewal and revocation. Companies also must train staff on the processes involved in the lifecycle of a machine identity.
What a machine identity management program needs
A machine identity management program should establish and maintain visibility into the company's entire IT infrastructure. With complex and dynamic modern IT systems, manually managing certificate lifecycles isn't feasible.
Keep an inventory of digital certificates and keys
Use an automated scanning tool on a network to find the location and activity of every key. The scanning tool should be able to find identities of devices outside the network perimeter, such as IoT environments and the cloud. The cloud is a common location for poorly configured SSH services. Scanning reduces certificate issues by providing details about each certificate, such as its location, certificate authority and expiration date. Consider grouping certificates based on type, expiry, criticality and other relevant criteria. This step makes it easier to implement centralized group policies across devices, workloads and environments.
Various providers offer lifecycle key management software that inventories keys and analyzes and shows the trust relationships enabled by each key:
- SSH Communications Security
Companies can also use open source projects, such as CloudSploit and Scout Suite, which detect potential misconfigurations and security risks.
Conduct regular security token scanning
Security token audits help identify vulnerabilities such as weak passwords, expired or unused keys, and rogue certificates. By maintaining an up-to-date inventory, IT can rotate keys and avoid problems such as ex-employees or contractors having access to active keys or keys no longer meeting security policy requirements. All keys should be stored in a centralized, secure location, such as a hardware security module, with access restricted by strong passwords and role-based access control.
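The inventory and audit steps above, as an added example that is not part of the original article or of any vendor's product: each certificate a scanner has collected is recorded with its location, issuer and expiry, grouped into an expiry bucket so one renewal policy can be applied per group, and flagged if it is self-signed. The locations, bucket names and 30-day threshold are assumptions, and makeTestCert only builds constructed certificates so the code runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// CertRecord is one inventory row: where the cert was found (host:port or path), issuer, expiry and group.
type CertRecord struct {
	Location, Issuer, Bucket string
	NotAfter                 time.Time
	SelfSigned               bool // subject equals issuer; policy forbids these
}

// expiryBucket groups a certificate by how soon it expires relative to now (assumed 30-day threshold).
func expiryBucket(notAfter, now time.Time) string {
	days := int(notAfter.Sub(now).Hours() / 24)
	if days < 0 {
		return "expired"
	} else if days <= 30 {
		return "expires-within-30d"
	}
	return "ok"
}

// Inventory turns certificates collected by a scanner, keyed by location, into inventory rows.
func Inventory(found map[string]*x509.Certificate, now time.Time) []CertRecord {
	var recs []CertRecord
	for loc, c := range found {
		recs = append(recs, CertRecord{Location: loc, Issuer: c.Issuer.String(),
			NotAfter: c.NotAfter, Bucket: expiryBucket(c.NotAfter, now),
			SelfSigned: c.Subject.String() == c.Issuer.String()})
	}
	return recs
}

// makeTestCert builds a constructed self-signed certificate so the example runs offline.
func makeTestCert(cn string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}
```

A real scanner would fill the map from TLS handshakes and key stores instead of makeTestCert; the "expired" and "expires-within-30d" rows are the audit findings to act on first.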
Allow departments to self-deploy certificates
Centralized machine identity management can slow down the development and deployment of machines, applications and services. To avoid that, allow select departments to self-service certificate provisioning, renewal and revocation. However, IT still needs to impose limits, such as no self-signed certificates. Policy rules should require microservices and containers to have a certificate for identification, authentication and encryption. This step secures communications with other containers, microservices, the cloud and the internet.
Create an incident response plan
Finally, IT should devise and implement an incident response plan -- and rehearse it. The security team needs to know how to react to events, such as a compromised certificate or certificate authority. An automated key management tool can roll out bulk changes to all affected certificates and keys across multiple machines.
A machine identity management program is essential to ensure ever-increasing machine interactions do not threaten data security and business continuity. Companies have a responsibility to themselves and other companies to manage machine identities, due to the interconnectivity of so many services and our reliance on their uninterrupted availability.